Audit for Information Systems Security
|
|
- Alvin Freeman
- 8 years ago
- Views:
Transcription
1 Informatica Economică vol. 14, no. 1/ Audit for Information Systems Security Ana-Maria SUDUC 1, Mihai BÎZOI 1, Florin Gheorghe FILIP 2 1 Valahia University of Targoviste, Targoviste, Romania, 2 Romanian Academy-INCE &BAR, Bucharest, Romania, suduc@ssai.valahia.ro, bizoi@ssai.valahia.ro, ffilip@acad.ro The information and communication technologies advances made available enormous and vast amounts of information. This availability generates also significant risks to computer systems, information and to the critical operations and infrastructures they support. In spite of significant advances in the information security area many information systems are still vulnerable to inside or outside attacks. The existence of an internal audit for information system security increases the probability of adopting adequate security measures and preventing these attacks or lowering the negative consequences. The paper presents an exploratory study on informatics audit for information systems security. Keywords: Information System Risks, Audit, Security 1 Introduction The digital world phenomenon, on the one hand, offers tremendous benefits, but on the other, it also creates significant and unprecedented risks. Web technology allows users quick and inexpensive access to a large amount of information provided on websites, digital libraries or other sources of data [1]. The same factors that generate the benefits speed and accessibility if not properly controlled can leave the information systems (IS) vulnerable to fraud, sabotage, and malicious or mischievous acts [2]. There are many and varied security techniques which can be applied. The selection of one or a set of security techniques must be done according to the potential risks. Therefore, the first step to provide security is to identify the risks. Afterwards there must be selected those techniques (usually only one security measure is not enough) which together will provide the appropriate level of security for the data, for the systems and for the organization. A risk-based audit program will improve the organization security system. 2 Security risks There are two categories of risks against which an information system must be protected: physical risks and logical risks. The physical risks, which are related more with the equipment than with the information system itself, includes natural disasters such as earthquakes, hurricanes, tornadoes and floods, as well as other dangers such as bombings, fires, power surges, theft, vandalism and unauthorized tampering. Champlain [3] identified a list of controls that protect the information systems against these physical threats. These controls are: various types of locks, insurance coverage over hardware and the costs to recreate data, procedures to perform daily backups of the information system and data, off-site storage and rotation of the backup media to a secure location, and current and tested disaster recovery programs. The logical risks refers to unauthorized access and accidental or intentional destruction or alteration of the information system and data. These threats can be mitigated through logical security controls which restrict de access capabilities of users of the system and prevent unauthorized users from accessing the system. All these measures are even more important in case of critical information systems. According to Symantec [4], organizations today must address four main types of IT risks: security risks, availability risks, performance risks and compliance risks. The security risks represent the unauthorized access to information: data leakage, data privacy, fraud, and endpoint security. The security risks include also broad external threats, such as viruses, as well as more targeted attacks upon specific applications, specific users, and specific information. An Ernst and Young survey showed that security incidents can cost companies between 17 and 28 millions of dollars for each occurrence ([5] quoted by [6]). Another survey made during 13 years [7] with the help of 522 computer security practitioners in U.S. showed that virus incidents occurred most frequently (at 49% of the respondents organizations). The second-most frequently occurred incidents were insider abuse of networks (44%) followed by theft of laptops and other mobile devices (42%). Figure 1 presents the key type of in-
2 44 Informatica Economică vol. 14, no. 1/2010 cidents. Other authors [8] [6] [9] also observed that, even the companies security measures are focused on outside threats, a great percent of the risks, which sometimes exceeds 50% from the total number of risks, are originating from legitimate network users. Fig. 1. Key type of incidents [7] In 2008, a study made in Romania at Valahia University of Targoviste [1], on 126 technical engineering students, showed a high intentionality of information system misuse (46%). Regarding the motivation for IS misuse (Fig. 2), 41% motivated curiosity, 31% personal gain without the intention to hurt someone, 25% intellectual challenge, 3% answered personal gain being aware of the negative consequences on others or on company, and none of the engineering students answer that they would intentionally harm others or the company. Fig. 2. Motivation for IS misuse These results show that the security practitioners must give a significant attention to the measures which mitigate the insider threats. Another interesting observation of this study was that most of the IS users are not aware of the ICT related risks or the IS security measures. For example to the question regarding to which extent they consider as a risk (from 1 to 5) the inside of the company attacks and the outside attacks, the respondents gave only 37% grades of 4 and 5 to the inside attacks and 31% to the outside attacks. 3 Audit for IS Security Lampson [10] noticed that, in spite of significant advances in the information security area, such as subject/object access matrix model, access control lists, multilevel security using information flow and the star-property, public key cryptography, and cryptographic protocol, the many information systems are vulnerable to inside or outside attacks. Security setup takes time, and it contributes nothing to useful output and, therefore, if the setup is too permissive no one will notice unless there s an audit or an attack. This observa-
3 Informatica Economică vol. 14, no. 1/ tion highlights the necessity of an internal audit for information system security in each organization. Mukaila Apata, System Auditor and Security Administrator with over 18 years of experience consider [11] that three areas of the computer activity should be monitored on a regular basis: user access control, system activity monitoring, and the audit trail. These activities are closed to the basic mechanisms for implementing security proposed by [10]: (a) authenticating principals ( Who said that? or Who is getting that information? - people, groups, machines, or programs); (b) authorizing access ( Who is trusted to do which operations on this object? ) and (c) auditing the decisions of the guard ( what happened and why ). The aim of security in the user access control area is to optimize productive computer time, mitigate de risk of error and fraud, eliminate unauthorized access and secure the confidentiality of information. It is also obvious the necessity to permanently monitor the system activity because the malicious acts of sabotage or fraud are more likely to occur, if there are low chances of detection. Apata indicated four questions which must be asked on probable areas of risk: (1) Could this happen here? (2) How? (3) Are security measures adequate to prevent/detect the threat? (4) How can we improve on the measures? [11]. The utilization of effective system security and controls can reduce considerable the incident occurrence and/or negative consequences by increasing the possibility of prevention and detection. Another important security action is to maintain detailed logs of who did and when and also if there are any attempted security violations. All these information are very important for the system auditor. 3.1 Audit standards According to ISO/IEC , IT network security - Part 3: Security communications between networks using security gateways, audit is a formal inquiry, formal examination, or verification of facts against expectations, for compliance and conformity. Audit [12] is a formal inspection and verification to check whether a Standard or set of Guidelines is being followed, that Records are accurate, or that Efficiency and Effectiveness targets are being met. An Audit may be carried out by internal or external groups. ISO reserved a series of standards, ISO 27000, for information security matters [13]: ISO 27001, published in October 2005, was created to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System ; ISO 27002, the rename of the ISO standard, is a code of practice for information security which established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization ; ISO is still in the proposal phase and aims to provide help and guidance in implementing an Information Security Management System; ISO was published in December 2009, and provides guidance on the development and use of measures and measurement for the assessment of the effectiveness of an implemented information security management system and controls, as specified in ISO 27001; ISO provides guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system defined by ISO 27001; ISO 27006, with the formal title formal "Information technology - Security techniques. Requirements for bodies providing audit and certification of information security management systems", is intended to be used in conjunction with a number of others standards and offers guidelines for the accreditation of organizations which offer certification and registration with respect to an Information Security Management System. This standard documents the requirements additional to those specified within standard ISO 17021, which identified the more generic requirements. The most known and mature of these series of standards are the first two: ISO and ISO There are also other closely related standards, such as ISO 17021, BS7799-3, ISO 24760, ISO and BS The ISO focus on eleven control clauses: (1) security policy; (2) organization of information security; (3) asset management; (4) human resources security; (5) physical security; (6) communications and ops management; (7) access control; (8) information systems acquisition, development, maintenance; (9) information security incident management; (10) business continuity and (11) compliance. Calder [14] observed that policy is owned by top
4 46 Informatica Economică vol. 14, no. 1/2010 management and the other control clauses are operational responsibilities and he represented the relationship between the control clauses (Fig. 3). Fig. 3. Relationship between the control clauses 3.2 Audit plan A security audit has the main objectives [15] to: Check the existence security policy, standards, guidelines and procedures; Identify the inadequacies and examine the effectiveness of the existing policy, standards, guidelines and procedures; Identify and understand the existing vulnerabilities and risks; Review existing security controls on operational, administrative and managerial issues, and ensure compliance to minimum security standards; Provide recommendations and corrective actions for improvements. In order to ensure compliance of security policy and to determine the minimum set of controls required to reduce the risks to an acceptable level, the security audits should be conducted periodically (vulnerabilities and threats change with time and environment) [15]. The audits can be new installation / enhancement audits, regular audits, random audits or non-office hour audits. The techniques used to the auditing process can include automated auditing tools (ready-made security audit systems and/or security auditors' own developed tools) or there can be manual review techniques (e.g. social engineering attacks and auditing checklists). An audit process may include several steps. 3D Networks [16] proposed an audit process in seven steps (figure 4): (1) vulnerability scanning - scanning the infrastructure, (2) report audit - auditing reports like logs, intrusion detection systems reports, etc., (3) security architecture audit - auditing the existing security architecture, (4) baseline auditing - auditing the security setup to verify that it is in accordance with the security baseline of the organization, (5) internal control and workflow audit - auditing the existing workflow, (6) policy audit - auditing the security policy to ensure that it is in line with the business objective and (7) threat/risk assessment assessment of the various risks and threats facing the company s information systems. During and at the end of the auditing process a series of reports may be elaborated: a report with the vulnerabilities identified in the organization information system, a report with the threats and risks the organization faces as a result of the existing vulnerabilities including faulty policy, architecture, etc., and an audit report which gives the security overview and the results of all the audits. Another perspective on the security audit process is provided by [15] which divides the audit in six steps: (1) planning - to determine and select effective and efficient methods for performing the audit and obtaining all necessary information; (2) collecting audit data - to determine how much
5 Informatica Economică vol. 14, no. 1/ and what type of information to be captured, and how to filter, store, access and review the audit data and logs; (3) performing audit tests - general review on the existing security policies or standards/security configurations/technical investigation; (4) reporting for audit results present the current security environment; (5) protecting audit data & tools - safeguard the audit data and tools for the next audit or future use; (6) making enhancements and follow-up - make corrective actions if required. Fig. 4. Audit process The security audit process is becoming more difficult to undertake with the growing complexity of information systems. There are automated auditing tools which significantly facilitates this process. 4 Conclusions There are many and varied security techniques which can be applied. The selection of a set of security techniques must be done according to the potential risks. But in order to provide properly and effective protection to the organization assets, the security system (measures) must be assessed. Internal or external, a security audit is one of the best ways to determine the security efficiency. There are a number of security audit standards which specify procedures that should be followed to ensure that IT resources are adequately safeguarded. With still high losses due to inadequate IS security, a security audit must be considered by any organization. References [1] A. M. Suduc, M. Bizoi and F. G. Filip, Ethical Aspects on Software Piracy and Information and Communication Technologies Misuse, Preprints of IFAC SWIIS Conference, Bucharest, [2] NSAA and GAO. (2001, December). Management Planning Guide for Information Systems Security Auditing. Retrieved January 2010, from U. S. Government Accountability Office, Available at: special.pubs/mgmtpln.pdf [3] J. J. Champlain, Auditing information systems, second ed., Hoboken, New Jersey: John Wiley & Sons, [4] A. M. Suduc and F. G. Filip, Riscuri ale utilizarii inadecvate a sistemelor informatice (Risks of Information Systems Misuse), Studii si cercetari economice, No. 72, [5] A. Garg, J. Curtis and H. Halper, Quantifying the Financial Impact of IT Security Breaches, Information Management & Computer Security, Vol. 11,
6 48 Informatica Economică vol. 14, no. 1/2010 No. 2, 2004, pp [6] P. Z. Manrique de Lara and D. V. Tacoronte, Supervising Employee Misuse of Information Systems in the Workplace: An Organizational Behavior Study, Empresa global y mercados locales: XXI Congreso Anual AEDEM. 1, Madrid: Universidad Rey Juan Carlos, 2007, pp [7] R. Richardson, CSI Computer Crime & Security Survey, 2008, Retrieved January 2010, from Department of Computer Science and Engineering, Available at: gs/csisurvey2008.pdf [8] J. D'Arcy, Improving Information Systems Security through Procedural and Technical Countermeasures, 2005, Retrieved June 23, 2009, from Irwin L. Gross ebusiness Institute, Temple University, Available at: ResearchReports/ISSecurityMeasures.pdf [9] V. Gawde, Information Systems Misuse - Threats & Countermeasures, 2004, Retrieved January 2010, from InfosecWriters, Available at: text_resources/pdf/information_systems_mis use.pdf [10] B. W. Lampson, Computer Security in the Real World, Proceedings of the Annual Computer Security Applications Conference, [11] M. Apata, The Essence of Information System Security and Audit. Retrieved January 2010, from Jidaw.com, Available at: [12] ITIL V3. Service Design, Office of Government Commerce (OGC), [13] ISO, The ISO Directory, 2009, Retrieved 2010, from [14] A. Calder, Information Security Based on ISO 27001/ISO A Management Guide (2nd ed.), Zaltbommel: Van Haren Publishing, [15] OGCIO, Security Risk Assessment and Audit Guidelines, 2006, Retrieved January 2010, from Office of the Government Chief Information Officer, Available at: ad/g51_pub.pdf [16] Networks, 3. (n.d.), Security Audit. Retrieved 2010 February, from Scribd, Available at: doc/ /security-network-audit-steps Ana-Maria SUDUC is currently assistant at the Automatic Control, Informatics and Electrical Engineering Department, Electrical Engineering Faculty, Valahia University of Targoviste, Romania. She has been involved in different ICT projects (research and educational) at national and international level. Her current research interests include interfaces for decision support systems, group decision support systems, and web interfaces. Mihai BÎZOI is currently assistant at the Automatic Control, Informatics and Electrical Engineering Department, Electrical Engineering Faculty, Valahia University of Targoviste, Romania. He was/is involved in different ICT projects (research and educational) at national and international level. His current research interests include communications-driven decision support systems, group decision support systems, and web collaborative technologies. Florin Gheorghe FILIP took his MSc and PhD in control engineering from the TU Politehnica of Bucharest. In 1991 He was elected as a member of the Romanian Academy (RA). He has been a scientific researcher at the National R&D Institute in Informatics (ICI) of Bucharest. Currently he is a parttime researcher at the National Institute of Economic Researches (INCE) of the RA, also the director of the Library of the Academy. He was elected as vice-president of RA in 2000 and re-elected in 2002 and His main scientific interests include large scale systems, decision support systems, technology management and foresight.
ISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationSecurity Risk Management - Approaches and Methodology
228 Informatica Economică vol. 15, no. 1/2011 Security Risk Management - Approaches and Methodology Elena Ramona STROIE, Alina Cristina RUSU Academy of Economic Studies, Bucharest, Romania ramona.stroie@gmail.com,
More informationISO 27000 Information Security Management Systems Foundation
ISO 27000 Information Security Management Systems Foundation Professional Certifications Sample Questions Sample Questions 1. is one of the industry standards/best practices in Service Management and Quality
More informationInformation System Audit Guide
Australian Government Department of Defence Information System Audit Guide VERSION 11.1 January 2012 Commonwealth of Australia 2011 Page 1 TABLE OF CONTENTS 1. INTRODUCTION TO ACCREDITATION...4 2. THE
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationRajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationRisk Management Guide for Information Technology Systems. NIST SP800-30 Overview
Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
More informationCTR System Report - 2008 FISMA
CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More information(Instructor-led; 3 Days)
Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationSRA International Managed Information Systems Internal Audit Report
SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...
More informationAdvantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches
Chinese Business Review, ISSN 1537-1506 December 2011, Vol. 10, No. 12, 1106-1110 D DAVID PUBLISHING Advantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches Stroie Elena
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationInformation Security Specialist Training on the Basis of ISO/IEC 27002
Information Security Specialist Training on the Basis of ISO/IEC 27002 Natalia Miloslavskaya, Alexander Tolstoy Moscow Engineering Physics Institute (State University), Russia, {milmur, ait}@mephi.edu
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationA Database Security Management White Paper: Securing the Information Business Relies On. November 2004
A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:
More informationEnterprise Security Management. IT risks put business at risk.
Enterprise Security Management. IT risks put business at risk. Risk management and IT. More than just security products and services. Today, many different business processes would hardly be conceivable
More informationGAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior
GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States
More informationAnalysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds
Original Article Healthc Inform Res. 2010 June;16(2):89-99. pissn 2093-3681 eissn 2093-369X Analysis of Information Security Management Systems at 5 Domestic Hospitals with More than 500 Beds Woo-Sung
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationChapter 4 Information Security Program Development
Chapter 4 Information Security Program Development Introduction Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival.
More informationInformation Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1
APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM E D U C A T I O N Information Technology Security Specialists and Professionals Education and
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationResearch Imperatives
Research Imperatives Areas of Research Needed in Information Security Julie J.C.H. Ryan, D.Sc. Assistant Professor The George Washington University What We Know Technology Fabulous research going on in
More informationHIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations
HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationTEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationInformation Security Policy
Office of the Prime Minister document CIMU P 0016:2003 Version: 2.0 Effective date: 01 Oct 2003 Information 1. statement i) General The Public Service of the Government of Malta (Public Service) shall
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationHIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich
HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for
More informationDepartment of Computer & Information Sciences. INFO-450: Information Systems Security Syllabus
Department of Computer & Information Sciences INFO-450: Information Systems Security Syllabus Course Description This course provides a deep and comprehensive study of the security principles and practices
More informationINFORMATION TECHNOLOGY CONTROLS
CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More informationNetwork & Information Security Policy
Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationData Management & Protection: Common Definitions
Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationINFORMATION SYSTEMS. Revised: August 2013
Revised: August 2013 INFORMATION SYSTEMS In November 2011, The University of North Carolina Information Technology Security Council [ITSC] recommended the adoption of ISO/IEC 27002 Information technology
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY
ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee
More informationWalton Centre. Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt. Monitoring & Audit
Page 1 Walton Centre Monitoring & Audit Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt Page 2 Table of Contents Section Contents 1 Introduction 2 Responsibilities Within This
More informationDecision on adequate information system management. (Official Gazette 37/2010)
Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)
More informationInformation Security Awareness Training
Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information
More informationSECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our
ENDNOTE ONLINE SECURITY OVERVIEW FOR MY.ENDNOTE.COM In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our servers from attacks and other attempts
More informationBellevue University Cybersecurity Programs & Courses
Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320
More informationHIPAA: Compliance Essentials
HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change
More informationComputer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stailings
Computer Security Principles and Practice Second Edition William Stailings Lawrie Brown University ofnew South Wales, Australian Defence Force Academy With Contributions by Mick Bauer Security Editor,
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationOVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
More informationJoint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities Agenda Information Security Management in Universities Recent
More informationWeighted Total Mark. Weighted Exam Mark
CMP4103 Computer Systems and Network Security Period per Week Contact Hour per Semester Weighted Total Mark Weighted Exam Mark Weighted Continuous Assessment Mark Credit Units LH PH TH CH WTM WEM WCM CU
More informationVersion 1.0. Ratified By
ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience
More informationINFORMATION SECURITY PROCEDURES
INFORMATION AN INFORMATION SECURITY PROCEURES Parent Policy Title Information Security Policy Associated ocuments Use of Computer Facilities Statute 2009 Risk Management Policy Risk Management Procedures
More informationTABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7
PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255
More informationHIPAA Security. assistance with implementation of the. security standards. This series aims to
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationWhite Paper. Information Security -- Network Assessment
Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationFISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
More informationHIPAA Information Security Overview
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
More informationSecurity Assessment Report
Security Assessment Report Prepared for California State Lottery By: Gaming Laboratories International, LLC. 600 Airport Road, Lakewood, NJ 08701 Phone: (732) 942-3999 Fax: (732) 942-0043 www.gaminglabs.com
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationInformation Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27001 Lead Auditor The objective of the Certified ISO/IEC 27001 Lead Auditor examination is to ensure that the candidate has the knowledge and the skills to
More informationBest Practices, Procedures and Methods for Access Control Management. Michael Haythorn
Best Practices, Procedures and Methods for Access Control Management Michael Haythorn July 13, 2013 Table of Contents Abstract... 2 What is Access?... 3 Access Control... 3 Identification... 3 Authentication...
More informationULH-IM&T-ISP06. Information Governance Board
Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible
More informationSecurity Basics: A Whitepaper
Security Basics: A Whitepaper Todd Feinman, David Goldman, Ricky Wong and Neil Cooper PricewaterhouseCoopers LLP Resource Protection Services Introduction This paper will provide the reader with an overview
More informationHIPAA Audit Risk Assessment - Risk Factors
I II Compliance Compliance I Compliance II SECTION ONE COVERED ENTITY RESPONSIBILITIES AREA ONE Notice of Privacy Practices 1 Is your full notice of privacy practices given to every new patient in your
More informationSRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective for all the audits commencing on or after 01 April 2010) CONTENTS
More informationINTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
INTERNATIONAL PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective) CONTENTS Paragraph Introduction... 1 5 Skills and Knowledge... 6 7 Knowledge
More informationCourse: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management
Course: Information Security Management in e-governance Day 1 Session 3: Models and Frameworks for Information Security Management Agenda Introduction to Enterprise Security framework Overview of security
More informationElectronic Medical Records: Legal and Ethical Implications for Patients
Electronic Medical Records: Legal and Ethical Implications for Patients Linda A. Simunek, RN, PhD, JD Executive Director, Doctoral Success Grant and Adjunct Professor in Law in Healthcare Education, Fischler
More informationAn Approach to Records Management Audit
An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION
More informationPutnam/Northern Westchester BOCES Internal Audit Report on Information Technology
6G Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology TABLE OF CONTENTS Page Report on Internal Controls Related to Information Technology Network and Network Security 1
More informationRisk Assessment Guide
KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact
More informationSecurity Software Engineering: Do it the right way
Proceedings of the 6th WSEAS Int. Conf. on Software Engineering, Parallel and Distributed Systems, Corfu Island, Greece, February 16-19, 2007 19 Security Software Engineering: Do it the right way Ahmad
More informationIT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)
IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationEXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam
EXIN Information Security Foundation based on ISO/IEC 27002 Sample Exam Edition June 2016 Copyright 2016 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored
More informationBUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04
BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:
More information